In particular SECCOMP_SET_MODE_STRICT looks like it would be very easy to use (and pretty easy for any Unix-like kernel to implement) and would be great for things like packet parsers that just read stdin and write stdout.